It’s about 80 days and counting until federal agencies are required to submit their risk management reports to the Office of Management and Budget (OMB) and the Department of Homeland Security (DHS) under President Donald Trump’s Cybersecurity Executive Order. What will yours say? And what will you have to show for your time in developing it?
Federal agencies manage risk through the system assessment and authorization process governed by Federal Information Processing Standard 200, Minimum Security Requirements for Federal Information and Information Systems, and NIST Special Publication 800-37, Guide for Applying the Risk Management Framework (RMF) to Federal Information Systems. However, all too often, agencies seek only to achieve the holy grail of an authority to operate for individual systems. What’s usually lost in this process is an actual accounting for and management of risks at the organizational level, beyond the administrative exercise. It is here where many of these risks go to die — at least until the unthinkable happens and a risk becomes an incident.
The president’s executive order is an opportunity to manage risk at the organizational level. At Lunarline, we use the Operationally Critical Threat and Vulnerability Evaluation (OCTAVE) Allegro risk-management model developed by Carnegie Mellon University’s Software Engineering Institute to support the NIST RMF for federal agencies (as well as internally within our own company). OCTAVE Allegro supports risk assessments as outlined in NIST SP 800-30, Revision 1, Guide for Conducting Risk Assessments, and provides a step-by-step method to:
- Establish Risk-Measurement Criteria
- Develop Information Asset Profiles
- Identify Information Asset Containers
- Identify Areas of Concern
- Identify Threat Scenarios
- Identify Risks
- Analyze Risks
- Select Mitigation Approaches
OCTAVE Allegro provides pre-formatted checklists and worksheets that can be adapted to the needs of the organization. (We find it useful to automate these artifacts via a simple Microsoft Access tool. This reduces the need to evaluate and install costly governance, risk-management and compliance tools, at least until you’re ready.) Our experience has shown that by capturing risks over time, and scoring them according to an algorithm we developed based on likelihood and weighted impact criteria, decision-makers can be more confident in their understanding of their organization’s risk posture. Areas of concern can stem from non-compliant NIST RMF controls, security bulletins, intelligence reports or simply a concern over prospective system change. Because leadership chooses the criteria used for assessing the risk, their priorities are factored in from the start.
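As an added illustration (not Lunarline’s Access tool or its scoring algorithm, which this post does not publish), here is a small Python risk register that computes an OCTAVE Allegro-style relative risk score from leadership-ranked impact areas, weights it by likelihood, and maps the result to a mitigation approach. The impact-area priorities, likelihood weights, thresholds and register entries are constructed assumptions for the example.

```python
"""Risk register scoring modelled on the OCTAVE Allegro worksheets (added example)."""
from dataclasses import dataclass

# Impact areas ranked by leadership (Allegro risk-measurement criteria); 5 = most
# important. These priorities are constructed sample values, not any agency's.
IMPACT_AREA_PRIORITY = {"reputation": 5, "fines_legal": 4, "financial": 3,
                        "productivity": 2, "safety_health": 1}
IMPACT_VALUE = {"low": 1, "moderate": 2, "high": 3}
LIKELIHOOD_WEIGHT = {"low": 1, "medium": 2, "high": 3}   # assumed weighting

@dataclass
class Risk:
    asset: str
    area_of_concern: str
    likelihood: str        # "low" / "medium" / "high"
    impacts: dict          # impact area -> "low" / "moderate" / "high"

def relative_risk_score(risk: Risk) -> int:
    """Allegro-style relative risk score: sum of (priority rank x impact value)."""
    return sum(IMPACT_AREA_PRIORITY[area] * IMPACT_VALUE[level]
               for area, level in risk.impacts.items())

def weighted_score(risk: Risk) -> int:
    """Scale the relative score by likelihood (an assumed step, not Allegro's)."""
    return relative_risk_score(risk) * LIKELIHOOD_WEIGHT[risk.likelihood]

def mitigation_approach(risk: Risk, mitigate_at: int = 40, defer_at: int = 10) -> str:
    """Map the score to mitigate / defer / accept; the thresholds are assumptions."""
    score = weighted_score(risk)
    return "mitigate" if score >= mitigate_at else "defer" if score >= defer_at else "accept"

def rank_register(register: list) -> list:
    """Order risks highest-scoring first so decision-makers see priorities directly."""
    return sorted(register, key=weighted_score, reverse=True)

# Constructed sample register entries (not real agency data).
REGISTER = [
    Risk("Benefits database", "Unpatched SMBv1 on file servers", "high",
         {"reputation": "high", "financial": "moderate", "productivity": "high"}),
    Risk("HR portal", "Non-compliant RMF account-review control", "medium",
         {"reputation": "moderate", "fines_legal": "moderate"}),
    Risk("Public website", "Planned CMS upgrade", "low", {"productivity": "low"}),
]

if __name__ == "__main__":
    for r in rank_register(REGISTER):
        print(f"{weighted_score(r):3d} {mitigation_approach(r):9s} {r.asset}: {r.area_of_concern}")
```

Because the priority ranks come from leadership’s criteria, changing those ranks re-orders the register without touching the individual assessments, which is the point of capturing the criteria before scoring.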
Build your risk assessment and mitigation process around a repeatable risk-management strategy as described in NIST 800-37. This risk-management strategy should identify how risks affect the organization’s goals, objectives and mission-essential functions, not just the technological considerations on which many agencies now focus. Resulting products, such as risk registers and risk management reports, should be tailored to decision-makers’ needs and be reviewed regularly as conditions change, such as changes in the threat environment. WannaCry anyone?
Leaders can be more confident in allocating resources because they are confident in the underlying risk assessment. This can be seen in the executive order’s requirement to include resource considerations regarding the agency’s risk mitigation decisions. Fewer resources can be devoted to mitigating lower-priority risks, achieving greater return on investment. In today’s budget climate, this is important, as an agency’s chief information officer must be able to defend his or her prioritization decisions. It’s no surprise that the White House is asking for the resources necessary to implement risk mitigations as part of the report to OMB and DHS.
So now you must answer the data call mandated in the executive order. This alone will take time and resources. Wouldn’t it be great if the time necessary to answer the call benefited the agency in the long run? At Lunarline, we recommend using this time to build a sustainable organization-level risk-management program that will benefit the agency once this report is put to bed. Then agency decision-makers can feel more comfortable knowing that they’ve increased their organization’s resiliency in the real world and not just on paper.
As always, Lunarline stands ready to help your agency in building a sustainable and effective risk-management program that meets your needs and available resources. To learn more about us, visit us online or contact one of our experts today.